Authentication with secondary approver

ABSTRACT

Techniques are provided for giving access to restricted content on a first device from a second device through a wireless network. In one embodiment, the first device transmits an authorization request signal to the second device or to a server in the wireless network. The second device, having received the authorization request, prompts an authorized user to give authorization to the first device by inputting an authentication key such as a password or gesture on the second device. Upon verification of the authentication key, an authorization signal may be wirelessly transmitted to the first device, permitting access to the restricted content or functions on the first device. In some embodiments, the second device may be alerted to an authorization request and may select a request for authorization from a selectable queue of requests.

BACKGROUND

The present disclosure relates generally to electronic devices, and morespecifically to authentication of an electronic device.

This section is intended to introduce the reader to various aspects ofart that may be related to various aspects of the present disclosure,which are described and/or claimed below. This discussion is believed tobe helpful in providing the reader with background information tofacilitate a better understanding of the various aspects of the presentdisclosure. Accordingly, it should be understood that these statementsare to be read in this light, and not as admissions of prior art.

Electronic devices, such as cellular telephones, computers, tablets, andso forth, are commonly used in many industries, and in a wide range ofapplications. Such electronic devices may contain various informationand functions, some of which may be confidential or restricted. Securingrestricted content on an electronic device may involve a configurationin which nonrestricted content may be generally accessible whilerestricted content is generally inaccessible without authorizationand/or authentication. To access such restricted content, a user may beauthenticated for accessing restricted content when an electronic deviceor system verifies the user's identity (e.g., by entering a correctlogin key or passcode), or a user may be authorized to access restrictedcontent when the device or system determines that the user has anappropriate access level for accessing or performing the restrictedcontent.

Conventionally, to access restricted content on an electronic devicerequiring a login key, a user with knowledge of the login key may inputthe login key in an user interface of the electronic device, whichgenerally requires the authorized user to physically interact with thedevice. Furthermore, a user who is not privileged with knowledge of thelogin key may sometimes need to access restricted content on a device,and may typically need further authorization before proceeding to accessthe restricted content. For example, a retail system may include severalelectronic devices, each including information or functions which haveaccess restrictions based on the access levels of the employees usingthe devices. An employee may sometimes need to access restricted contentthat the employee does not have access to, and in such instances,manager authorization may be required before the restricted content maybe accessed by the employee. However, the process of authorizing anemployee's access on the employee's device may be inefficient.

SUMMARY

A summary of certain embodiments disclosed herein is set forth below. Itshould be understood that these aspects are presented merely to providethe reader with a brief summary of these certain embodiments and thatthese aspects are not intended to limit the scope of this disclosure.Indeed, this disclosure may encompass a variety of aspects that may notbe set forth below.

Embodiments of the present disclosure relate to systems and methods forobtaining secondary authorization wirelessly. For example, a firstdevice may contain restricted content that cannot be access withoutauthorization from a second device. The present techniques allow thefirst device to send an authorization request signal to the seconddevice, and allow the second device to give or deny authorization to thefirst device by sending an authorization signal.

In some embodiments, the first device may be a retail transaction orinformation device used by an employee, and the second device may be asimilar or different device used by a manager. Thus, the employee mayobtain access to restricted content their device wirelessly from themanager's device, so long as the manager give the employee access fromthe manager's device

Various refinements of the features noted above may exist in relation tovarious aspects of the present disclosure. Further features may also beincorporated in these various aspects as well. These refinements andadditional features may exist individually or in any combination. Forinstance, various features discussed below in relation to one or more ofthe illustrated embodiments may be incorporated into any of theabove-described aspects of the present disclosure alone or in anycombination. Again, the brief summary presented above is intended onlyto familiarize the reader with certain aspects and contexts ofembodiments of the present disclosure without limitation to the claimedsubject matter.

BRIEF DESCRIPTION OF THE DRAWINGS

Various aspects of this disclosure may be better understood upon readingthe following detailed description and upon reference to the drawings inwhich:

FIG. 1 is a block diagram of components of an electronic device, inaccordance with aspects of the present disclosure;

FIG. 2 is a front view of a handheld electronic device in accordancewith aspects of the present disclosure;

FIG. 3 is a view of a computer for use in accordance with aspects of thepresent disclosure;

FIG. 4 is a representation of a secondary authorization system, inaccordance with the present disclosure;

FIG. 5 is a flowchart depicting a process of authorizing content on afirst device from a second device, in accordance with the presentdisclosure;

FIG. 6 is a screen of an electronic device indicating that authorizationis required to access content on the device, in accordance with thepresent disclosure;

FIG. 7 is a screen of the electronic device in FIG. 6 indicating that arequest for authorization has been transmitted to another device in thesecondary authorization system, in accordance with the presentdisclosure;

FIG. 8 is a screen of a second device indicating that an authorizationrequest is received, in accordance with the present disclosure;

FIG. 9 is an illustration of a progression of screens on a second deviceduring authorization of an authorization request, in accordance with thepresent disclosure; and

FIG. 10 is a screen of a second device having a queue of authorizationrequests, in accordance with the present disclosure.

DETAILED DESCRIPTION OF SPECIFIC EMBODIMENTS

One or more specific embodiments will be described below. In an effortto provide a concise description of these embodiments, not all featuresof an actual implementation are described in the specification. Itshould be appreciated that in the development of any such actualimplementation, as in any engineering or design project, numerousimplementation-specific decisions must be made to achieve thedevelopers' specific goals, such as compliance with system-related andbusiness-related constraints, which may vary from one implementation toanother. Moreover, it should be appreciated that such a developmenteffort might be complex and time consuming, but would nevertheless be aroutine undertaking of design, fabrication, and manufacture for those ofordinary skill having the benefit of this disclosure.

The present techniques involve a secondary authorization techniqueswhere a requesting device (also referred to as a first device) in asystem may wirelessly request and receive authorization to accessrestricted content on the first device from an authorizing device (alsoreferred to as a second device) in the system. Embodiments of thepresent techniques may be applied in a retail system involving a networkof electronic devices each having various functions, where the variousfunctions may have one or more access levels. For example, certainfunctions (e.g., accepting payment, accessing purchase history, etc.)may have a first access level and may be generally unrestricted to auser of the retail system (e.g., an employee) having the first accesslevel. However, other functions (e.g., accepting merchandise return,giving a discount, or overriding a warranty, etc.) may have a secondaccess level and may be restricted without authorization from a user(e.g., from a manager) having the second access level.

Conventionally, a manager may input an authorization key or login on thesame device used by the employee before the employee may perform arestricted function. In accordance with embodiments of the presenttechniques, an employee using a first device may wirelessly request andreceive approval from a manager using a second device to performotherwise restricted functions on the first device.

In some embodiments, an authorizing device may be able to giveauthorization to multiple requesting devices. Relating to the retailapplication previously mentioned, a manager may use one authorizingdevice to give authorization to multiple requesting devices from whichemployees may access restricted content. As may be common in retailsettings, each employee may be using a different first device located indifferent places throughout a retail setting. In some embodiments, themanager may not need to travel to the location of each employeerequiring access to restricted content. Rather, the manager may provideauthorization to each employee's devices wirelessly and withoutphysically traveling to each employee's respective location.

With these foregoing features in mind, a general description of suitableelectronic devices for implementing aspects of the present techniques isprovided. In FIG. 1, a block diagram depicting various components thatmay be present in electronic devices suitable for use with the presenttechniques is provided. In FIG. 2, one example of a suitable electronicdevice, here provided as a handheld electronic device, is depicted. InFIG. 3, another example of a suitable electronic device, here providedas a computer system, is depicted. Such electronic devices, as well asother electronic devices providing suitable storage and/or processingcapabilities, may be used in conjunction with the present techniques.Furthermore, suitable electronic devices may have wireless communicationcapabilities and may be able to wirelessly communicate with otherelectronic devices to perform the secondary authorization techniques ofthe present disclosure.

An example of a suitable electronic device may include various internaland/or external components which contribute to the function of thedevice. FIG. 1 is a block diagram illustrating the components that maybe present in such an electronic device 8 and which may allow the device8 to function in accordance with the techniques discussed herein. Aswill be appreciated, the various functional blocks shown in FIG. 1 mayinclude hardware elements (including application specific or genericcircuitry), software elements (including computer code stored on amachine-readable medium) or a combination of both hardware and softwareelements. It should further be noted that FIG. 1 is merely one exampleof a particular implementation and is merely intended to illustrate thetypes of components that may be present in a device 8. For example, inthe presently illustrated embodiment, these components may include adisplay 10, I/O ports 12, input structures 14, data processingcircuitry, such as one or more processors 16, a memory device 18, anon-volatile storage 20, expansion card(s) 22, a networking device 24,and a power source 26.

With regard to each of these components, the display 10 may be used todisplay various images generated by the device 8. The display 10 may beany type of display such as a cathode ray tube (CRT), a liquid crystaldisplay (LCD), a light emitting diode (LED) display, an organic lightemitting diode (OLED) display, or other suitable display. In certainembodiments of the electronic device 8, the display 10 may include atouch-sensitive element, such as a touch screen.

The I/O ports 12 may include ports configured to connect to a variety ofexternal devices, such as a power source or other electronic devices(such as handheld devices and/or computers, printers, projectors,external displays, modems, docking stations, and so forth). For example,in some embodiments, peripheral hardware attachments such as a creditcard reader, commonly referred to as a card sled, may be connected tothe device 8 through I/O ports 12. In some embodiments, informationobtained through the credit card reader may be transmitted to a suitableprocessor (e.g., processor 16). The I/O ports 12 may support anystandard or proprietary interface type, such as a universal serial bus(USB) port, a video port, a serial connection port, an IEEE-1394 port,an Ethernet or modem port, and/or an AC/DC power connection port.

The input structures 14 may include the various devices, circuitry, andpathways by which input or feedback is provided to data processingcircuitry, such as the processor 16. Such input structures 14 may beconfigured to control a function of the device 8 when actuated. Forexample, the input structures 14 may include buttons, sliders, switches,control pads, keys, knobs, scroll wheels, keyboards, mice, touchpads,and so forth. In certain embodiments, the input structures 14 may alsoinclude such components as global positioning system (GPS) circuitryand/or accelerometers that convey information about the location and/ororientation of the device 8 to the processors 16.

In certain embodiments, an input structure 14 and display 10 may beprovided together, such an in the case of a touch screen where a touchsensitive mechanism is provided in conjunction with the display 10. Insuch embodiments, the user may select or interact with displayedinterface elements via the touch sensitive mechanism. In this way, thedisplayed user interface may provide interactive functionality, allowinga user to select, by touch screen or other input structure, from amongoptions displayed on the display 10.

User interaction with the input structures 14, such as to interact witha user or application interface displayed on the display 10, maygenerate electrical signals indicative of the user input. These inputsignals may be routed via suitable pathways, such as an input hub orbus, to data processing circuitry, such as the processor(s) 16, forfurther processing.

The processor(s) 16 may provide data processing capability to executethe operating system, programs, user and application interfaces, and anyother functions of the electronic device 8. The processor(s) 16 mayinclude one or more microprocessors, such as one or more“general-purpose” microprocessors, one or more special-purposemicroprocessors and/or ASICS, or some combination of such processingcomponents. For example, the processor 16 may include one or morereduced instruction set (RISC) processors, as well as graphicsprocessors, video processors, audio processors and/or related chip sets.

The instructions or data to be processed by the processor(s) 16 may bestored in a memory 18. The memory 18 may be provided as a volatilememory, such as random access memory (RAM), and/or as a non-volatilememory, such as read-only memory (ROM). The memory 18 may store avariety of information and may be used for various purposes. Forexample, the memory 18 may store firmware executed by a processor 16(such as basic input/output instructions or operating systeminstructions, including instructions implementing non-alphanumericauthentication (e.g., authentication not based on keys or charactersfound on a keyboard) as discussed herein), other programs that enablevarious functions of the electronic device 8, user interface functions,processor functions. In addition, the memory 18 may be used forbuffering or caching during operation of the electronic device 8.

The components may further include a non-volatile storage 20 forpersistent storage of data and/or instructions. The non-volatile storage20 may include flash memory, a hard drive, or any other optical,magnetic, and/or solid-state storage media. The non-volatile storage 20may be used to store data files such as personal or business information(e.g., financial and other account information), software, wirelessconnection information (e.g., information that may enable the electronicdevice 8 to establish a wireless connection, such as a telephone orwireless network connection), and any other suitable data. In addition,the non-volatile storage 20 may also store code and/or data forimplementing various functions of the electronic device 8, such asapplication or program code, data associated with such applications orprograms, operating system code, user configured preferences, as well ascode for implementing secure user authentication as discussed herein.

The embodiment illustrated in FIG. 1 may also include one or more cardor expansion slots. The card slots may be configured to receive anexpansion card 22 that may be used to add functionality, such asadditional memory, I/O functionality, or networking capability, to theelectronic device 8. Such an expansion card 22 may connect to the devicethrough any type of suitable standard or proprietary connector, and maybe accessed internally or external to the housing of the electronicdevice 8. For example, in one embodiment, the expansion card 22 may beflash memory card, such as a SecureDigital (SD) card, mini- or microSD,CompactFlash card, Multimedia card (MMC), or the like.

The components depicted in FIG. 1 also include a network device 24, suchas a network controller or a network interface card (NIC). In oneembodiment, the network device 24 may be a wireless NIC providingwireless connectivity over any 802.11 standard or any other suitablewireless networking standard. The network device 24 may allow theelectronic device 8 to communicate over a network, such as a Local AreaNetwork (LAN), Wide Area Network (WAN), cellular network, or theInternet. Further, the electronic device 8 may connect to and send orreceive data with any device on the network, such as portable electronicdevices, personal computers, printers, and so forth. Alternatively, insome embodiments, the electronic device 8 may not include a networkdevice 24. In such an embodiment, a NIC may be added as an expansioncard 22 to provide similar networking capability as described above.

Further, the components may also include a power source 26. In oneembodiment, the power source 26 may be one or more batteries, such as alithium-ion polymer battery. The battery may be user-removable or may besecured within the housing of the electronic device 8, and may berechargeable. Additionally, the power source 26 may include AC power,such as provided by an electrical outlet, and the electronic device 8may be connected to the power source 26 via a power adapter. This poweradapter may also be used to recharge one or more batteries if present.

With the foregoing in mind, FIG. 2 illustrates an electronic device 8 inthe form of a handheld device 30, here a cellular telephone, which maybe used as a first device and/or a second device. It should be notedthat while the depicted handheld device 30 is provided in the context ofa cellular telephone, other types of handheld devices (such as mediaplayers for playing music and/or video, personal data organizers,handheld game platforms, and/or combinations of such devices) may alsobe suitable be provided as the electronic device 8. Further, a suitablehandheld device 30 may incorporate the functionality of one or moretypes of devices, such as a media player, a cellular phone, a gamingplatform, a personal data organizer, and so forth.

For example, in the depicted embodiment, the handheld device 30 is inthe form of a cellular telephone that may provide various additionalfunctionalities (such as the ability to take pictures, record audioand/or video, listen to music, play games, and so forth). As discussedwith respect to the generalized electronic device of FIG. 1, thehandheld device 30 may allow a user to connect to and communicatethrough the Internet or through other networks, such as local or widearea networks or cellular networks. For example, the handheld device 30may allow a user to communicate using e-mail, text messaging, instantmessaging, or other forms of electronic communication. The handheldelectronic device 30, may also communicate with other devices usingshort-range connections, such as Bluetooth and near field communication.By way of example, the handheld device 30 may be a model of an iPod® oriPhone®, or a derivative thereof, available from Apple Inc. ofCupertino, Calif. The handheld electronic device 30 may also be in theform of a tablet computer. By way of example, the tablet computer may bea model of an iPad®, or a derivative thereof, available from Apple Inc.of Cupertino, Calif.

In the depicted embodiment, a housing 32 includes input structures 14through which a user may interface with the device. Each input structure14 may be configured to help control a device function when actuated.For example, in a cellular telephone implementation, one or more of theinput structures 14 may be configured to invoke a “home” screen or menuto be displayed, to toggle between a sleep and a wake mode, to silence aringer for a cell phone application, to increase or decrease a volumeoutput, and so forth.

A display 10 of the handheld device 30 may be used to display agraphical user interface (GUI) 34 that allows a user to interact withthe handheld device 30. The GUI 34 may include various layers, windows,screens, templates, or other graphical elements that may be displayed inall, or a portion, of the display 10. Generally, the GUI 34 may includegraphical elements that represent applications and functions of theelectronic device. The graphical elements may include icons 36 and otherimages representing buttons, sliders, menu bars, and the like. The icons36 may correspond to various applications of the electronic device thatmay open upon selection of a respective icon 36. Furthermore, selectionof an icon 36 may lead to a hierarchical navigation process, such thatselection of an icon 36 leads to a screen that includes one or moreadditional icons or other GUI elements. The icons 36 may be selected viaa touch screen provided as the display 10 in certain embodiments, or maybe selected by a user input structure 14, such as a wheel or button.

In addition to handheld devices 30, such as the depicted cellulartelephone of FIG. 2, an electronic device 8 may also take the form of acomputer or other types of electronic device on which confidentialinformation might be stored and on which software code governing secureaccess to such information might be executed. Such computers may includecomputers that are generally portable (such as laptop, notebook, andtablet computers) as well as computers that are generally used in oneplace (such as conventional desktop computers, workstations and/orservers). In certain embodiments, the electronic device 8 in the form ofcomputer may be a model of a MacBook®, MacBook® Pro, MacBook Air®,iMac®, Mac® mini, or Mac Pro® available from Apple Inc.

By way of example, an electronic device 8 in the form of a laptopcomputer 50 is illustrated in FIG. 3 in accordance with one embodiment.The depicted computer 50 includes a housing 52, a display 10, inputstructures 14, and input/output ports 12. The input structures 14 (suchas a keyboard and/or a touchpad) may be used to interact with thecomputer 50, such as to start, control, or operate a GUI or applicationsrunning on the computer 50. For example, a keyboard and/or touchpad mayallow a user to navigate a user interface or application interfacedisplayed on the display 10. In addition, the input and output ports 12may allow connection of additional devices. For example, the computer 50may include an I/O port 12, such as a USB port or other port, suitablefor connecting to another electronic device, such as a handheldelectronic device 30.

In addition, as discussed with respect to the handheld device 30, thecomputer 50 may include data processing circuitry (such as one or moreprocessors), network connectivity, memory, and storage capabilities thatallow the computer 50 to store and execute a GUI and other applicationssuitable for implementing the present techniques. For example, thecomputer 50 may be capable of storing and executing programming codeencoding routines suitable for accessing confidential information orsecured applications or network connections using non-alphanumeric andnon-biometric inputs (e.g., gestures, sequences, and so forth). Further,to the extent that a computer 50 has network connectivity, suchconnectivity may be utilized to update or modify an existing applicationon the computer 50 to provide such functionality.

With the foregoing discussion in mind, it may be appreciated that theelectronic device 8 may be suitable for the secondary authorizationtechniques presented in this disclosure. FIG. 4 illustrates a secondaryauthorization system 58, which includes a first device 60, a seconddevice 62, a wireless network 64, an authentication server 65, and anapplication server 66. In some embodiments, the first device 60 and/orthe second device may be a handheld device 30 (FIG. 2), a laptopcomputer 60 (FIG. 3), or any other suitable electronic device 8.

The first device 60 may include various content and functionality, someof which may have different access restrictions. The first device 60 maybe used by a user with limited authority, henceforth known as a limitedauthority user. The first device 60 generally includes common content,which may include information or functions that are accessible by thelimited authority user without further authorization. In someembodiments, the first device 60 may request an initial login by thelimited authority user before the common content may be accessed. Forexample, the first device 60 may be configured to be able to performtasks such as completing a purchase transaction without additionalauthorization, as a purchase transaction may be an example of commoncontent. However, the first device 60 may not be able to perform amerchandise return transaction (i.e., transferring money onto a creditcard), as a return transaction may be an example of restricted content.In some embodiments, the first device 60 may transmit a secondaryauthorization request signal to the second device 62 via a wirelessnetwork 64 to request authorization.

The second device 62 may generally be used by a user having a higherlevel of authority, henceforth known as full authority user, and mayhave the authority to access restricted content, as well as giveauthorization to a limited authority user to access the restrictedcontent. The second device 62 may receive the secondary authorizationrequest, and a full authority user operating the second device 62 mayselect to authorize the restricted content corresponding to the receivedsecondary authorization request. To indicate authorization to the firstdevice 60, the second device 62 may transmit an authorization signal tothe first device 60, and the restricted content may then be accessiblefrom the first device 60.

The first device 60 and the second device 62 may communicate with eachother and other devices via the wireless network 64. The wirelessnetwork 64 may be a personal area network (PAN) such as a Bluetooth™network, a local area network (LAN) such as an 802.11 Wi-Fi network, awide area network (WAN) such as a 3G or 4G cellular network, and othersuitable wireless networks.

The authentication server 65 in the wireless network 64 may includeaccount data and/or identity data associated with accounts associatedwith the secondary authorization system 58. For example, accountinformation for each employee of the system 58 may be stored in theauthentication server 65. In some embodiments, the authentication server65 may include processing or control elements suitable for verifying auser's account, referred to as authenticating a user. For example, theauthentication server 65 may compare a user authentication input (e.g.,an identifying password, gesture, account name, etc.) with account datastored in an account database in the authentication server 65.

In some embodiments, the secondary authorization system 58 may alsoinclude an application server 66 connected in the wireless network 64.The application server 66 may be configured to proxy between the firstdevice 60 and the second device 62. The application server 66 may verifyany authentication inputs by accessing the authentication server 65. Ifauthentication is verified at the authentication server 65, theapplication server may be configured to transmit an authorization signalto the first device 60, and the restricted content may then beaccessible from the first device 60. In some embodiments, theapplication server 66 may also verify an authority level of anauthenticated user for performing a function, accessing content, orauthorizing access to content or functions. In some embodiments,processing components or data associated with authentication andauthorization may be stored in the second device 62.

FIG. 5 is a flowchart representing a secondary authorization process 66.FIGS. 6-10 are a series of exemplary screenshots which illustrate thefirst and second devices at various points in the secondaryauthorization process 66. As FIGS. 6-10 represent screens displayedduring the process illustrated in FIGS. 5 and 6-10 will be discussedconcurrently.

As illustrated in FIG. 5, the secondary authorization process 66 iscategorized into first device actions 68 and second device actions 70.The process 66 of obtaining secondary authorization is initiated whenthe first device 60 prompts (block 72) for authorization. FIG. 6 is anillustration of a screen on the first device 60 when the first device 60prompts for authorization. An authorization prompt 90 may be displayedon the screen 88. In some embodiments, the authorization prompt 90 mayinclude an accept button 92. Activating the accept button 92 mayindicate that the limited authority user is aware that authorization isrequired to proceed with accessing the desired restricted content. Insome embodiments, activating the accept button 92 the first device 60may initiate a request for authorization, and in other devices, thefirst device 60 may display an additional screen for confirming thetransmission of an authorization request signal. In differentembodiments, “activating” a button may be done by a number of actions,such as pressing, pushing, selecting, touching, and so forth, dependingon the configuration of the devices 60 and 62.

In some embodiments, upon initiation of an authorization request (e.g.,in response to activation of the accept button 92), the first device 60may display an input screen 94 (FIG. 7A), in which entry of a correctinput on the first device 60 may authorize the restricted content on thefirst device 60. For example, a full authority user may enter an inputdirectly on the first device 60 to give authorization to the restrictedcontent from the first device 60. In some embodiments, the first device60 may request an authorizing input directly into the first device 60when secondary authorization techniques are not available. For instance,the first device 60 may display an input screen 94 if a suitablewireless connection 64 between the first device 60 and the second device62 is not detected.

In some embodiments, a prompt 96 on the input screen 94 includes anaccount data field 98 and a password data field 100. Informationgenerally related to the identity of the user may be entered into theaccount data field 98, and information generally related to a securepassword may be entered into the password data field 100. In someembodiments, a user may use a keypad 102 to enter information in theaccount data field 98 and password data field 100. After the logininformation is entered, a continue button 104 may be selected, and thefirst device 60 may verify the entered information. A cancel button 106may also be displayed, and selection of this button 106 may cancel theauthorization request and return the first device 60 to a previous page.Correct entries in the account data field 98 and in the password datafield 100 may result in the authentication of a user having fullauthorization (and authority to authorize others) on the first device60, thereby authorizing access to the restricted content which initiatedthe authorization request

Additionally, as illustrated in FIG. 7B, one or more embodiments includeauthenticating a full authority user on the first device 60 through agesture login screen 136 on the first device. The gesture login 136includes a gesture node arrangement 138 including multiple gesture nodes140. The identity of the user may be verified when the user touches orswipes across the gesture nodes 140 in a predetermined fashion. Thecorrect pattern or path in which the gesture nodes 140 are selected is acryptographic key corresponding to an authorized user, such thatcorrectly touching the gesture map 138 allows the first device 60 toverify the identity and authorization level of the user. In someembodiments, a user may select between either the input screen 94 or thegesture login screen 136 for authentication on the first device 60.

Alternatively, in addition to authorization through the first device 60,the present techniques include requesting and receiving authorizationwirelessly, and from a different device (e.g., the second device 62).Referring back to FIG. 5, to initiate a secondary authorization process66, the first device 60 may transmit (block 74) the authorizationrequest signal 76 wirelessly in a wireless network 64. In someembodiments, the authorization request signal 76 may go through anapplication server 66 (FIG. 4) and undergo some processing before itreaches the second device 62. The second device 62 may receive (block78) the authorization request signal 76 and indicate (block 79) that theauthorization request 76 is received on the second device 62. FIG. 8 isan illustration of a screen 112 indicating that a secondaryauthorization request 76 has been received at the second device 62. Inthe illustrated embodiment, when a secondary authorization request 76 isreceived (block 78), an authorization request notification 110 mayappear on a screen 112 of the second device 62. As illustrated, theauthorization request notification 110 may include a message 114, anignore button 116, and/or a view button 118. The message 114 may includecontent related to the authorization request signal 76, such asinformation regarding the particular sender, time, and other relateddetails. Selection of the ignore button 116 may return the second device62 to its previous content or function, and selection of the view button118 may result in the second device 62 prompting (block 80) forauthentication and/or authorization.

FIG. 9 is an illustration of a progression of screens which may bedisplayed on the second device 62 involved in prompting (block 80) forauthentication and/or authorization in response to an authorizationrequest 76. As illustrated in FIG. 9, in some embodiments, the seconddevice 62 may display an authorization request details screen 120, apassword login screen 134, and a gesture login screen 136. In thepresent embodiment, the authorization request details screen 120 may bedisplayed after the authorized user activates the view button 118corresponding to the authorization request notification 110 (FIG. 8). Asillustrated in the present embodiment, the authorization request detailsscreen 120 may include information relating to the details of theauthorization request 76, such as an application name 122, anapplication function 124, and a requester name 126. The application name122 may indicate the application, program, and/or network through whichthe authorization request 76 is received. The application function 124may generally refer to a specific function or content that the firstdevice 60 is requesting to access. The requester name 126 may identifythe limited authorization user operating the first device 60 and/orrequesting the authorization.

In the present embodiment, the authorization request details screen 120may also includes a details window 128, which may show any additionalinformation regarding the authorization request such as the time,location, priority level, and so forth. The details window 128 may alsocontain other details or instructions regarding the authorizationrequest. For example, a user of the first device 60 may input additionaldetails or questions along with the authorization request. Theauthorization request details page 120 may also include a deny button130 and an approve button 132. A selection of the deny button 150 maydeny the authorization request, and a selection of the approve button132 may approve the authorization request. In some embodiments, once theapprove button 132 is selected, the second device 62 may requestauthentication to verify the identity of the current user of the seconddevice 60. Successful authentication may also result in authorization inresponse to the authorization request if the authenticated user indeedhas authorization to grant authorization to the authorization request.

Two embodiments for authenticating a full authority user on the seconddevice 62 are represented in FIG. 9. Similar to the input screen 94 andgesture screen 136 discussed with respect to FIGS. 7A and 7B,authentication on the second device 62 may also involve an input screen134 and a gesture screen 136. In one embodiment, the input screen 134,includes an account data field 98 and a password data field 100.Information generally related to the identity of the user, may beentered in the account data field 98, and a password may be entered inthe password data field 100. The screen 134 may also include a cancelbutton 104 and a continue button 106. Selection of the cancel button 104may exit the secondary authorization process. The continue button 106may become active after the user enters information in the account datafield 98 and the password data field 100. If the continue button 106 isselected, the second device 62 may analyze the entered information todetermine whether the entries made in the account data field 98 and thepassword data field 100 correspond to an account having authorization toauthorize access to the restricted content on the first device 60. Inthe present embodiments, a user may use a keypad 102 to input accountdata and password data.

In some embodiments, a second device 62 may also authenticate a user ona gesture login page 136. The gesture login page 136 may include agesture node arrangement 138 having multiple gesture nodes 140.Generally, a user may contact the gesture nodes in a path or patternwhich may be compared to a previously stored path or pattern forauthentication of a user on the second device 62. As a full authorityuser may have a unique path of pattern in interfacing with the gesturemap, correctly touching the nodes 140 and/or gesture login 138 ongesture login page 136 may authenticate the identity of the fullauthority user, and thereby grant authorization to the authorizationrequest from the second device 62. The screen 136 may also include acancel button 104 and a continue button 106, where selecting the cancelbutton 104 may exit the secondary authorization process on the seconddevice 62, and selecting the continue button 106 may prompt the seconddevice 62 to verify the entered gesture.

In some embodiments, in order to obtain authentication, the seconddevice 62 may transmit the authentication input data, such as thepassword input or gesture input data to the authentication server 65,where it is generally authenticated by comparing the authenticationinput to a database of stored authentication keys. The authenticationserver 65 may match the authentication input with stored authenticationkeys in an account database in the authentication server 65 toauthenticate the second device 64.

In some embodiments, the second device 62 may not prompt (block 80) forauthentication before transmitting authorization to the first device 60.For example, in some embodiments, the second device 62 may transmit(block 82) an authorization signal 83 in response to simply selecting anapprove button (e.g., the approve button 132). In some embodiments, thesecond device 62 may require authentication of the full authority userwhen initially activating the second device 62 before the second device62 can authorize secondary authorization requests. As such, the fullauthority user may not need to be authenticated to authorize eachsecondary authorization request.

Once approval is selected on the second device 62 and/or once the seconddevice 62 authenticates a full authority user, the second device 62 maytransmit (block 82) an authorization signal 83 to the first device 60via the wireless connection 64. The first 60 device may then receive(block 84) the authorization signal 83. In response to receiving (block84) the authorization signal 83, the first device 60 may access (block84) the restricted content.

In some embodiments, the authorization signal 83 may be transmitted bythe second device 62 to the first device 60 through the applicationserver 66. For example, after authentication on the authenticationserver 65, the application server 66 may transmit the authorizationsignal 83 to the first device 60. In some embodiments, the applicationserver 66 may receive the authentication input data from the seconddevice 62 and relay the data to the authentication server 65 forauthentication. Other non-authorization related communication betweenthe first device 60 and the second device 62 may also be supported bythe application server 66. Furthermore, the application server 66 mayalso continue to monitor and/or record use of the restricted content onthe first device 60 after the first device 60 accesses the restrictedcontent. It should be noted that while the present disclosure refers totransmissions of the authorization request, authentication input, andthe authorization signal between the first device 60 and the seconddevice 64, any or all of these transmissions may pass through theauthentication server 65 and/or the application server 66 in thewireless network 64.

In one or more embodiments, when a first device 60 receivesauthorization and is able to access the restricted content, the firstdevice 60 may have access to the restricted content for a limited amountof time, and/or for the duration of a function. Furthermore, the firstdevice 60 may have access only to the specific content or function forwhich it has requested and received authorization.

In some embodiments, the second device 62 may receive secondaryauthorization requests from more than one device. FIG. 10 is anillustration of an authorization request queue screen 150 which may bedisplayed by the second device 62 in some embodiments. The authorizationrequest queue screen 150 may indicate a number 152 of total requests,and include a queue 153 of one or more authorization requests 154. Inthe present embodiment, each authorization request 154 may furtherinclude details corresponding to each request in the queue 153, such asa requester name 126, an application name 122, an application function124, and a time of request 156. As illustrated in FIG. 10, authorizationrequests may be received from different requesters, who may be limitedauthority users each using different devices. In some embodiments, thefull authority user using the second device 62 may select anauthorization request from the queue 153 to view and approve or deny. Insome embodiments, an authorization request may be selected from thequeue 153 regardless of order in which it appears in the queue 153.

In one or more embodiments, a requesting device may send additionalauthorization requests to more than one authorizing device. For example,when making an authorization request, the first device 60 may be able todetermine, via the wireless network, which authorizing devices areactive (e.g., in operation and/or accepting secondary authorizationrequests). The requesting device may be configured to send anauthorization request to all active authorizing devices. The requestingdevice may also be configured to automatically send the authorizationrequest to a specific authorizing device, chosen based on variousdetectable parameters, such being closest in distance, having theshortest authorization request queue, and so forth. The requestingdevice may also be configured to allow the user of the requesting deviceto select the authorizing device(s) to send the secondary authorizationrequest. For example, a requesting device may display the identity ofspecific authorized users operating the authorizing devices and allowthe selection of a particular authorized user and/or authorizing devicefor sending the secondary authorization request signal.

In one or more embodiments, the requesting device may also be configuredto send a message to an authorizing device or advising the authorizeduser to go to the location of the requesting device and limitedauthority user. The authorizing device may be configured to indicate thephysical location of the requesting device to the full authority user sothat the full authority user may be able to find the limited authorityuser (e.g., in the location of a retail store). For instance, if thelimited authority user has a more complex problem that cannot beeffectively solved by simply sending a secondary authorization request,more in-depth assistance may be requested using the secondaryauthorization techniques.

Furthermore, one or more embodiments may include an automatic approvalfor certain authorization requests, where an approving device mayautomatically approve requests without additional action from the fullauthority user. For example, the second device may automatically approvecertain secondary authorization requests or requests received by certainrequesting devices. Accordingly, such decisions regarding automatedapproving of authorization requests may also be stored and/or processedon the application server 66.

The specific embodiments described above have been shown by way ofexample, and it should be understood that these embodiments may besusceptible to various modifications and alternative forms. It should befurther understood that the claims are not intended to be limited to theparticular forms disclosed, but rather to cover all modifications,equivalents, and alternatives falling within the spirit and scope ofthis disclosure.

What is claimed is:
 1. A system, comprising: a first display deviceconfigured to request authorization by transmitting a request signalbefore performing a restricted activity, receive an authorizing signal,and perform the restricted activity in response to receiving theauthorizing signal; and a second display device configured to receivethe request signal from the first device, display an authenticationinput for authenticating an authorized user of the second device,display an authorization input for authorizing the restricted activityon the first device, and wirelessly transmit the authorizing signal ifthe second device is authenticated and if the first device isauthorized.
 2. The system of claim 1, comprising an authenticationserver, wherein the authorization input is transmitted from the seconddevice to the authentication server for authentication.
 3. The system ofclaim 1, comprising an application server configured to wirelesslytransmit the authorizing signal from the second device to the firstdevice.
 4. The system of claim 1, wherein the first device is configuredto receive an authentication input for authenticating an authorized useron the first device.
 5. The system of claim 4, wherein theauthentication input comprises a text input, a gesture input, or anoption between the text input and the gesture input.
 6. The system ofclaim 1, wherein the first device is one of a portable electronic deviceand a stationary electronic device and the second device is one of aportable electronic device and a stationary electronic device.
 7. Thesystem of claim 1, wherein the first device is configured to transmit arequest signal to more than one second device.
 8. The system of claim 1,wherein the second device is configured to receive request signals fromand send authorizing signals to a plurality of first devices.
 9. Thesystem of claim 1, wherein the second device is configured to queuereceived authorization requests from one or more first devices.
 10. Thesystem of claim 9, wherein the second device is configured to displaythe authorization input for a selected one of the queued authorizationrequests.
 11. The system of claim 1, wherein the first device isconfigured to select one of a plurality of second devices fortransmitting the authorization request signal.
 12. The system of claim1, wherein the authentication input on the second devices comprises atext input, a gesture input, or an option between the text input and thegesture input.
 13. The system of claim 1, wherein the second device isconfigured to display the authentication input to authenticate theauthorized user for a session, and the second device is configured totransmit the authorizing signal to the first device if the first deviceis authorized without additionally authenticating the authorized user onthe second device during the session.
 14. The system of claim 1, whereinthe second device is configured to authenticate the authorized user onthe second device in response to each received authorization requestsignal, before transmitting each respective authorization signal. 15.The system of claim 1, wherein at least one of the first device and thesecond device is a touch screen device.
 16. A method of obtainingwireless authorization on a first device from a second device,comprising: wirelessly transmitting an authorization request signal fromthe first device to the second device in response to receiving a requestto perform a restricted function on the first device; receiving theauthorization request signal on the second device; displaying anauthentication input on the second device, wherein the authenticationinput comprises a first input to authorize the first device and a secondinput to decline authorization to the first device; wirelesslytransmitting an authorization signal to the first device if the positiveinput is selected; receiving the authorization signal on the firstdevice; and enabling performance of the restricted function on the firstdevice when the authorization signal is received on the first device.17. The method of claim 16, comprising displaying an authenticationinput on the second device if the positive input is selected.
 18. Themethod of claim 16, comprising displaying the authorization input on thesecond device comprises displaying a third input, wherein selection ofthe third input results in queuing authorization request signal.
 19. Themethod of claim 16, comprising displaying a queue comprising a list of aplurality of received authorization request signals, wherein displayingthe authorization input comprises displaying the authorization input fora selected one of the plurality of received authorization requestsignals in the queue.
 20. The method of claim 17, comprisingtransmitting the authentication input to an authentication serverconfigured to authenticate the authentication input.
 21. The method ofclaim 16, wherein wirelessly transmitting an authorization signal to thefirst device comprises transmitting the authorization signal from asecond device through an application server to the first device.
 22. Aretail transaction system, comprising: a first device comprising commoncontent and restricted content, wherein the first device is configuredto request authorization in response to an attempt to access therestricted content and wirelessly receive an authorizing signal grantingaccess to restricted content on the first device; a second displaydevice configured to receive the request for authorization; and awireless network through which the first device and the second devicewirelessly communicates, wherein the second device transmits theauthorizing signal over the wireless network.
 23. The retail transactionsystem of claim 22, wherein the second device is configured to requestauthentication from an authorized user of the second device before theauthorizing signal is received by the first device.
 24. The retailtransaction system of claim 23, wherein the second device is configuredto receive an authentication input in response to requestingauthentication, wherein the authentication input is authenticated by anauthentication server connected in the wireless network.
 25. The retailtransaction system of claim 22, wherein the second device is configuredto request either a text-based authentication or a gesture-basedauthentication from an authorized user before transmitting theauthorizing signal.
 26. The retail transaction system of claim 22,wherein the first device is one of a portable device and a stationarydevice and the second device is one of a portable device and astationary device.
 27. The retail transaction system of claim 22,wherein the authorizing signal grants the first device access to therestricted content for a limited time.